The Critical Role of First Responders in Collecting Digital Evidence

As technology has advanced, so have the knowledge and duties required of law enforcement officers at a crime scene. The evidence to be searched for and collected now includes digital evidence such as cell phones and computer networking devices, some of which may be hidden in ceilings or other locations that are not immediately evident. At the same time, forensics experts face an ever-expanding backlog of digital evidence as computer use grows. Training and preparing first responders to perform preliminary investigations could help reduce that backlog and help law enforcement make significant headway in solving a range of crimes, including:

Computer threats

Missing person cases

Fraud cases

Theft

NIJ supports the development of tools that allow law enforcement officers who are not computer experts to conduct basic analysis of digital evidence at crime scenes. Onsite analysis by first responders would speed up initial investigative tasks, reducing the workload of digital forensics experts and allowing them to focus on more in-depth digital evidence analysis.

Why Traditional Forensics Techniques Are Less Effective With Digital Evidence

In the early days of digital evidence collection and analysis, law enforcement officers would confiscate a computer and then create an exact, bit-for-bit duplicate of the original evidentiary media (called an image) onto another device, recording cryptographic hashes of the original and the copy so the duplicate could be verified. Analysis of the image would then be conducted in a controlled setting.

However, volatile data such as the contents of RAM, running processes, open network connections and the keys for mounted encrypted volumes cannot be recovered once the device is shut down, so law enforcement has moved away from "grab-and-go" tactics. The emphasis is now on capturing as much data as possible at crime scenes while devices are still running.

When dealing with digital evidence, first responders should still observe general forensic and procedural principles, including:

Evidence should not be changed while it is being collected, secured and transported. Where live collection unavoidably alters a running system, the responder should use the least intrusive tools available and record exactly what was run, in what order and when, so the effect on the evidence can be accounted for.

Digital evidence should be examined only by those trained specifically for that purpose.

Everything done during the seizure, transportation and storage of digital evidence should be fully documented, preserved and available for review.
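The imaging step described above, together with the principles of not altering the evidence and documenting everything, can be illustrated with a short acquisition script. This is an added example, not a tool from the NIJ page: it copies a medium with dd, hashes the original and the copy with SHA-256, and logs both so the image can be re-verified later. The paths and the "medium" file are constructed for the example.

```shell
#!/bin/sh
# Added example (not from the NIJ page): acquire an image of evidentiary
# media with dd, then prove it is an exact duplicate by comparing SHA-256
# hashes of the original and the copy, logging both with a timestamp.
# The paths below and the "medium" file are constructed for the example;
# they are not real seized media.

set -u

# Hash a file with whichever SHA-256 tool is present (GNU or BSD userland).
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# acquire_image SOURCE IMAGE LOG
# Hash the source, copy it block by block, hash the image, and append both
# hashes and the time to LOG. Succeeds only when the hashes match.
acquire_image() {
    src=$1; img=$2; log=$3
    pre=$(sha256_of "$src")
    # A real device would be attached behind a hardware write blocker; for
    # failing media add conv=noerror,sync and note the zero-filled blocks
    # in the log, since padding changes the hash of the copy.
    dd if="$src" of="$img" bs=4096 2>/dev/null || return 2
    post=$(sha256_of "$img")
    printf '%s source=%s image=%s sha256_source=%s sha256_image=%s\n' \
        "$(date -u +%Y-%m-%dT%H:%M:%SZ)" "$src" "$img" "$pre" "$post" >>"$log"
    [ "$pre" = "$post" ]
}

# verify_image IMAGE EXPECTED_SHA256
# Re-hash an image later (before analysis, or when its integrity is
# challenged) against the hash recorded at acquisition.
verify_image() {
    [ "$(sha256_of "$1")" = "$2" ]
}

# Demonstration on a constructed medium.
work=$(mktemp -d)
printf 'constructed evidence medium: sample data 0123456789\n' >"$work/medium.bin"
if acquire_image "$work/medium.bin" "$work/medium.dd" "$work/acquisition.log"; then
    echo "image verified: $(sha256_of "$work/medium.dd")"
    cat "$work/acquisition.log"
fi
```

The log line is the documentation the third principle asks for: it ties the image to its source, the time of acquisition and the two hashes, and any later change to the image file makes verify_image fail.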

Types of Images Captured by Digital Evidence Investigative Tools

Digital evidence investigative tools capture two types of images:

Physical images: bit-for-bit copies of a storage medium or of physical memory. A capture of memory can recover passwords held in RAM, whole-disk encryption keys, information stored by Windows and other user-related data that is lost once volatile memory is cleared by a reboot or shutdown. Because a physical image is complete and its hash can be checked against the original, it holds up better in court as evidence.

Logical images: copies of data as the operating system presents it, that is, information any user could view, including a list of running processes and programs, screen captures (to document open windows) and graphic files or documents that may be relevant to an open investigation. A logical collection is selective and is made by interacting with the live system, so the commands run and their order should be recorded.
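A logical collection of the kind described above is usually taken in order of volatility, most perishable data first, with every artifact hashed as it is written. The following script is an added example, not a tool from the NIJ page or from NIJ-funded projects: the step names, output layout and manifest format are assumptions for the example, and it only reads system state. A missing command is recorded rather than aborting the run, since a responder's toolkit will not match every host.

```shell
#!/bin/sh
# Added example (not from the NIJ page): collect volatile data from a
# running host in order of volatility, hashing each artifact into a
# manifest so the collection can be audited later. Step names, file
# layout and manifest format are assumptions for the example.

set -u

# Hash a file with whichever SHA-256 tool is present (GNU or BSD userland).
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# collect_step OUTDIR NAME CMD [ARGS...]
# Run one collection command, save its output to OUTDIR/NAME.txt, and
# record time, exit status, hash and command line in OUTDIR/manifest.txt.
# A command that is not installed is noted instead of stopping the run.
collect_step() {
    out=$1; name=$2; shift 2
    file="$out/$name.txt"
    if command -v "$1" >/dev/null 2>&1; then
        if "$@" >"$file" 2>&1; then status=0; else status=$?; fi
    else
        printf 'command not available: %s\n' "$1" >"$file"; status=127
    fi
    printf '%s %s exit=%s sha256=%s cmd=%s\n' \
        "$(date -u +%Y-%m-%dT%H:%M:%SZ)" "$name" "$status" \
        "$(sha256_of "$file")" "$*" >>"$out/manifest.txt"
}

# collect_volatile OUTDIR
# Most volatile first: clock and uptime, then processes, network sockets,
# logged-in users. Screen captures and documents would follow in a real
# run. Prints the number of steps recorded in the manifest.
collect_volatile() {
    out=$1
    mkdir -p "$out"
    : >"$out/manifest.txt"
    collect_step "$out" 01_time date -u
    collect_step "$out" 02_uptime uptime
    collect_step "$out" 03_processes ps -ef
    collect_step "$out" 04_sockets ss -tunap
    collect_step "$out" 05_users who
    wc -l <"$out/manifest.txt" | tr -d ' '
}

# verify_manifest OUTDIR
# Re-hash every artifact against the manifest; fails on the first change.
verify_manifest() {
    out=$1
    while read -r _ts name _exit sha _cmd; do
        [ "$(sha256_of "$out/$name.txt")" = "${sha#sha256=}" ] || return 1
    done <"$out/manifest.txt"
}

# Demonstration: collect into a temporary directory and verify it.
dest=$(mktemp -d)/volatile
steps=$(collect_volatile "$dest")
verify_manifest "$dest" && echo "$steps steps collected and verified in $dest"
```

The manifest records what was run, in what order and when, which is the documentation a live collection needs to remain reviewable; re-running verify_manifest before analysis shows whether any artifact changed after collection.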